
Limitations and Precautions for Virtual System

Hardware Requirements

The Virtual System function is supported by all models.

License Requirements

By default, the FW provides a certain number of virtual systems for administrators to use. For the USG6600E and USG6700E series, if administrators need to use more virtual systems, they must purchase licenses. For details, see License Usage Guide > License Control Items.

Limitations

Most functions of the FW are available in virtual systems. For detailed function availability, see Configuration Guide > Virtual System > Function Availability for Virtual Systems. However, certain functions have some usage restrictions. Details are as follows:

  • Virtual system administrators cannot log in to the device using the console port.
  • The signature database and system software can only be updated on the public system.
  • Virtual system administrators can configure a virtual system using the Web UI or CLI of the virtual system. However, they can only use the Web UI to import or export the virtual system configuration file.
  • Virtual system administrators can use STelnet to log in to a virtual system. However, the passwords used for the login can only be generated on the public system. The SSH configurations of the public system apply to all virtual systems.
  • The ports for services, including HTTP, HTTPS, and SSH, can only be set on the public system.
  • The redirection mode for authentication and the authentication page can only be configured on the public system. The user management and authentication configurations of the public system apply to all virtual systems.

  • PBR can be configured for inter-virtual system forwarding, but only the root system administrator can configure packet forwarding between virtual systems based on policy-based routes. Virtual system administrators do not have this permission. They cannot run the action pbr vpn-instance vpn-instance-name command but can run the undo action pbr vpn-instance vpn-instance-name command.
  • A Layer-3 GE, VLAN, or VLANIF interface cannot be assigned to a virtual system in any of the following situations. Delete the configurations or dissociate the features first:
    • The GE interface or VLAN has been assigned to a virtual system.
    • The GE or VLANIF interface is referenced by a policy.
    • The GE interface is an Eth-trunk member interface or switched to a Layer-2 interface.
  • VNIs cannot be assigned to a virtual system in the following situations. Delete the configurations or dissociate the features first:
    • The VNI has been assigned to a virtual system.
    • The Vbdif interface corresponding to the VNI has been referenced in a policy, such as the Source NAT policy of easy IP.
  • The management interface cannot be assigned to a virtual system.
  • The following configurations of an interface are automatically cleared when the interface is assigned to a virtual system:
    • IP address
    • IPSec
  • The virtual system function supports both IPv4 and IPv6.
  • Trunk and hybrid Layer-2 interfaces and Layer-3 interfaces on which subinterfaces are created may be simultaneously used by multiple virtual systems. Therefore, the Traffic History displayed on the Dashboard of each virtual system is the total traffic of all virtual systems that use the interfaces.
  • In normal mode, each packet can go through cross-virtual system forwarding only once. After you run the firewall forward cross-vsys extended command to set the virtual system communication mode of the FW to extended mode, each packet can go through cross-virtual system forwarding at most twice.
  • When virtual systems and the public system communicate with each other, you are not advised to use the IPSec service together with PBR or intelligent uplink selection. If an IPSec policy is configured on the interface for which the route matched by the traffic from a virtual system to the public system is destined, the device does not support the query of PBR or intelligent uplink selection in the public system. In this case, packets are forwarded based on the IPSec policy.
  • In the virtual system mutual access scenario, if a traffic diversion table is used to implement mutual access, upstream and downstream traffic limiting is not available for the virtual systems.
  • In cross-virtual system scenarios, you can run the session-log send-to-public log-type { all } command to send virtual system logs to the public system, which then forwards them to the log server. Virtual system logs cannot be sent directly to the log server.

Precautions

  • Exercise caution when assigning an interface to a virtual system to prevent service interruption.
  • Note the following rules when you assign public IP addresses:
    • In exclusive mode, a public IP address can be assigned only to one virtual system. In free mode, a public IP address can be assigned to multiple virtual systems.
    • The public IP address differs from the global IP address for NAT Server in the public system.
    • The public IP address differs from the IP addresses in the NAT address pool in the public system.
  • When a virtual system is created, the FW reserves a certificate specification for it. This reserved specification is excluded from the device certificate specification. When a certificate is created on or imported into the virtual system again, that certificate is counted in the device certificate specification.
  • In a scenario of communication between virtual systems (including between a virtual system and a root system, direct communication between two virtual systems, and communication between two virtual systems across a root system), each packet has to go through two forwarding processes, which decreases packet forwarding performance to about 50% of the performance for forwarding within one system. In extended mode, communication between two virtual systems across a virtual system is supported. That is, each packet has to go through three forwarding processes, and the packet forwarding performance is around one third of the performance for forwarding within one system.
  • In an inter-virtual system forwarding scenario, a Virtual-if interface is a public interface by default. The IDs of Virtual-if interfaces are randomly assigned from available IDs in the system. In CLI mode, you can run the display interface brief command to view the virtual interfaces of a virtual system. In Web UI mode, you can view the relationships of virtual systems and Virtual-if interfaces in Interface List of the local system.
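A pre-assignment check for the public IP address rules above (exclusive versus free mode, and no overlap with the public system's NAT Server global address or NAT address pool). This is an added example, not Huawei code; the vsys names, addresses and the `check_assignment` helper are constructed for illustration.

```python
"""Pre-check public IP address assignment to virtual systems (vsys).

Encodes the Precautions rules: in exclusive mode an address may belong to only
one vsys (in free mode to several), and a public IP must not collide with the
NAT Server global IP or the NAT address pool of the public system.
All data below is constructed for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class PublicSystem:
    """NAT-related addresses configured in the public (root) system."""
    nat_server_global_ips: set[str] = field(default_factory=set)
    nat_pool: list[str] = field(default_factory=list)  # CIDR or single IPs

    def conflicts(self, ip: str) -> str | None:
        """Return a reason string if ip overlaps public-system NAT config."""
        addr = ipaddress.ip_address(ip)
        if ip in self.nat_server_global_ips:
            return "overlaps NAT Server global IP in public system"
        for entry in self.nat_pool:
            if addr in ipaddress.ip_network(entry, strict=False):
                return f"overlaps NAT address pool {entry} in public system"
        return None


def check_assignment(mode: str, assignments: dict[str, set[str]],
                     public: PublicSystem, vsys: str, ip: str) -> list[str]:
    """Return rule violations for assigning ip to vsys (empty list if ok)."""
    if mode not in ("exclusive", "free"):
        raise ValueError(f"unknown public IP mode: {mode}")
    problems = []
    # Exclusive mode: the address may be held by at most one vsys.
    owners = {v for v, ips in assignments.items() if ip in ips and v != vsys}
    if mode == "exclusive" and owners:
        problems.append(f"{ip} already assigned to {sorted(owners)} (exclusive mode)")
    reason = public.conflicts(ip)
    if reason:
        problems.append(f"{ip} {reason}")
    return problems


# Constructed sample state: public-system NAT config and current assignments.
PUBLIC = PublicSystem(nat_server_global_ips={"203.0.113.10"},
                      nat_pool=["203.0.113.64/28"])
ASSIGNED = {"vsysa": {"203.0.113.20"}, "vsysb": {"203.0.113.21"}}

if __name__ == "__main__":
    for v, ip in [("vsysb", "203.0.113.20"), ("vsysc", "203.0.113.70")]:
        print(v, ip, check_assignment("exclusive", ASSIGNED, PUBLIC, v, ip) or "ok")
```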
Copyright © Huawei Technologies Co., Ltd.